Lawmakers push HHS to treat ransomware attacks differently

June 28, 2016

A bipartisan pair of lawmakers is calling on the Department of Health and Human Services (HHS) to treat ransomware attacks in the healthcare industry differently than other cyber attacks.

“In the case of a ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on safety, and service,” Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) wrote in a letter to Deven McGraw, deputy director for health information policy at HHS’s Office of Civil Rights. 

Ransomware illicitly encrypts files, and demands money to unlock them. The lawmakers said the current requirements — to notify patients and offer free credit counseling after breaches — only make sense if patient files are the ones encrypted or otherwise affected in the attack.

The lawmakers advised HHS to issue guidance to healthcare providers that "aggressively requires" reporting ransomware to the federal government and industry information-sharing groups to prevent further attacks.

Lieu and Hurd also suggested HHS tell organizations to wipe their hard drives after a breach, whether or not data was modified.